“GoDaddy is a publicly traded Internet domain registrar and web hosting company. As of 2014, GoDaddy was said to have had more than 59 million domain names under management, making it the world’s largest ICANN-accredited registrar. It serves more than 12 million customers and employs more than 4,000 people. The company is known for its celebrity spokespeople, Super Bowl ads and as being an online provider for small businesses. In addition to a postseason college football bowl game, it sponsors NASCAR. It has been involved in several controversies related to security and privacy. In addition to domain registration and hosting, GoDaddy also sells e-business related software and services.” (Wikipedia)

(2.1) When a user is redirected from Godaddy to another site, Godaddy will check whether the redirected URL belongs to domains Godaddy’s whitelist, e.g.
google.com
apple.com

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Godaddy to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Godaddy directly.

One of the vulnerable domain is,
google.com

(2.2) Use one of webpages for the following tests. The webpage address is “http://diebiyi.com/articles/“. Can suppose that this page is malicious.

(3) What is Covert Redirect?Covert Redirect is a class of security bugsdisclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.